What began as a data breach among a few private universities at the turn of summer has now expanded into an interconnected web of compromised Social Security numbers, birthdates and school records that has claimed students and retired faculty alike.
According to two separate filings with the California and Maine attorney general’s offices, a compromise within the National Student Clearinghouse’s third-party file transferring service, MOVEit Transfer, has impacted nearly 900 colleges and universities and more than 51,000 people.
Progress Software, the parent company of MOVEit, first informed the Clearinghouse of a cybersecurity issue they were dealing with on May 31 that may implicate the education nonprofit’s student enrollment data. A month later, cybercriminals began exposing that stolen data on the dark web. Webster University (Mo.), Trinity College (Conn.), Middlebury College (Vt.) and St. Mary’s University (Texas) were among the first institutions to confirm their stolen student data.
The Clearinghouse’s filing with the Main attorney general’s office included a template document to send to those whose information was stolen. It explains to potential victims how to register for identity monitoring services and place a security freeze on one’s credit file.
The damage may be more extensive than we realize
The 900 colleges and 51,000 individuals affected by the Clearinghouse data breach provide us with a solid measure of the damage we can confirm has been done in three months. However, the Clearinghouse’s services extend to around 3,600 higher education institutions.
Besides accessing institutions’ data via the Clearinghouse, cybercriminals have exploited MOVEit’s vulnerability by other methods. The University System of Georgia and Johns Hopkins University directly access MOVEit. USG began sending out letters to those affected by it on September 3. For context, it’s the sixth-largest university system in the United States, with more than 300,000 students.
Cybercriminals also exploited several teacher and academic retirement systems. Among them are TIAA, The California Public Employees’ Retirement System (CalPERS) and the California State Teachers’ Retirement System (CalSTRS). The latter includes more than 940,000 state public educators.
TechTarget reports that over 2,000 organizations and 62,000,000 individuals have been confirmed to be affected.
Russian ransomware syndicate Clop (CL0P or ClOp) has taken responsibility for MOVEit Transfer’s security breach. They are expected to make over $75 million from their extortion tactics, Bleeping Computer reports.